Abstract. Acceleration in symbolic verification consists in computing the exact effect of some control-flow loops in order to speed up the iterative fix-point computation of reachable states. Even if no termination guarantee is provided in theory, successful results were obtained in practice by different tools implementing this framework. In this paper, the acceleration framework is extended to data-flow analysis. Compared to a classical widening/narrowing-based abstract interpretation, the loss of precision is controlled here by the choice of the abstract domain and does not depend on the way the abstract value is computed. Our approach is geared towards precision, but we do not lose efficiency on the way. Indeed, we provide a cubic-time acceleration-based algorithm for solving interval constraints with full multiplication.



1 Introduction 

Model-checking safety properties on a given system usually reduces to the computation of a precise enough invariant of the system. In traditional symbolic verification, the set of all reachable (concrete) configurations is computed iteratively from the initial states by a standard fix-point computation. This reachability set is the most precise invariant, but quite often (in particular for software systems) a much coarser invariant is sufficient to prove correctness of the system. Data-flow analysis, and in particular abstract interpretation [CC77], provides a powerful framework to develop analyses for computing such approximate invariants.

A data-flow analysis of a program basically consists in the choice of a (potentially infinite) complete lattice of data properties for program variables together with transfer functions for program instructions. The merge over all paths (MOP) solution, which provides the most precise abstract invariant, is in general over-approximated by the minimum fix-point (MFP) solution, which is computable by Kleene fix-point iteration. However the computation may diverge, and widening/narrowing operators are often used in order to enforce convergence at the expense of precision [CC77, CC92]. While often providing very good results, the solution computed with widenings and narrowings may not be the MFP solution. This may lead to abstract invariants that are too coarse to prove safety properties on the system under check.

Techniques to help convergence of Kleene fix-point iterations have also been investigated in symbolic verification of infinite-state systems. In these works, the objective is to compute the (potentially infinite) reachability set for automata with variables ranging over unbounded data, such as counters, clocks, stacks or queues. So-called acceleration techniques (or meta-transitions) have been developed [BW94, BGWW97, CJ98, FIS03, FL02] to speed up the iterative computation of the reachability set. Basically, acceleration consists in computing in one step the effect of iterating a given loop (of the control flow graph). Accelerated symbolic model checkers such as Lash [Las], TReX [ABS01], and Fast [BFLP03] successfully implement this approach.

Our contribution. In this paper, we extend acceleration techniques to data-flow analysis and we apply these ideas to interval analysis. Acceleration techniques for (concrete) reachability set computations may be equivalently formalized "semantically" in terms of control-flow path languages [LS05] or "syntactically" in terms of control-flow graph unfoldings [BFLS05]. We extend these concepts to the MFP solution in a generic data-flow analysis framework, and we establish several links between the resulting notions. It turns out that, for data-flow analysis, the resulting "syntactic" notion, based on graph flattenings, is more general than the resulting "semantic" notion, based on restricted regular expressions. We then propose a generic flattening-based semi-algorithm for computing the MFP solution. This semi-algorithm may be viewed as a generic template for applying acceleration-based techniques to constraint solving.

We then show how to instantiate the generic flattening-based semi-algorithm in order to obtain an efficient constraint solver¹ for integers, for a rather large class of constraints using addition, (monotonic) multiplication, factorial, or any other bounded-increasing function. The intuition behind our algorithm is the following: we propagate constraints in a breadth-first manner as long as the least solution is not obtained, and variables involved in a "useful" propagation are stored in a graph-like structure. As soon as a cycle appears in this graph, we compute the least solution of the set of constraints corresponding to this cycle. It turns out that this acceleration-based algorithm always terminates in cubic time.

As the main result of the paper, we then show how to compute in cubic time the least solution for interval constraints with full addition and multiplication, and intersection with a constant. The proof uses a least-solution preserving translation from interval constraints to the class of integer constraints introduced previously.

Related work. In [Kar76], Karr presented a polynomial-time algorithm that computes the set of all affine relations that hold in a given control location of a (numerical) program. Recently, the complexity of this algorithm was revisited in [MOS04] and a fine upper bound was presented. For interval constraints with affine transfer functions, the exact least solution may be computed in cubic time [SW04]. Strategy iteration was proposed in [CGG+05] to speed up Kleene fix-point iteration with better precision than widenings and narrowings, and this approach has been developed in [TG07] for interval constraint solving with full addition, multiplication and intersection. Strategy iteration may be viewed as an instance of our generic flattening-based semi-algorithm. The class of interval constraints that we consider in this paper contains the one in [SW04] (which does not include interval multiplication) but it is more restrictive than the one in [TG07]. We are able to maintain the same cubic-time complexity as in [SW04], and it is still an open problem whether interval constraint solving can be performed in polynomial time for the larger class considered in [TG07].

¹ By solver, we mean an algorithm computing the least solution of constraint systems.

Outline. The paper is organized as follows. Section 2 presents our acceleration-based approach to data-flow analysis. We then focus on interval constraint-based data-flow analysis. We present in Section 3 a cubic-time algorithm for solving a large class of constraints over the integers, and we show in Section 4 how to translate interval constraints (with multiplication) into the previous class of integer constraints, hence providing a cubic-time algorithm for interval constraints. Section 5 presents some ideas for future work. Please note that most proofs are only sketched in the paper, but detailed proofs are given in appendix. This paper is the long version of our SAS 2007 paper.

2 Acceleration in Data Flow Analysis 

This section is devoted to the notion of acceleration in the context of data-flow analysis. Acceleration techniques for (concrete) reachability set computations [BW94, BGWW97, CJ98, FIS03, FL02, LS05, BFLS05] may be equivalently formulated in terms of control-flow path languages or control-flow graph unfoldings. We shall observe that this equivalence does not hold anymore when these notions are lifted to data-flow analysis. All results in this section can easily be derived from the definitions, and they are thus presented without proofs.

2.1 Lattices, words and graphs 

We respectively denote by $\mathbb{N}$ and $\mathbb{Z}$ the usual sets of nonnegative integers and integers. For any set $S$, we write $\mathcal{P}(S)$ for the set of subsets of $S$. The identity function over $S$ is written $1_S$, and shortly $1$ when the set $S$ is clear from the context.

Recall that a complete lattice is any partially ordered set $(A, \sqsubseteq)$ such that every subset $X \subseteq A$ has a least upper bound $\bigsqcup X$ and a greatest lower bound $\bigsqcap X$. The supremum $\bigsqcup A$ and the infimum $\bigsqcap A$ are respectively denoted by $\top$ and $\bot$. A function $f \in A \to A$ is monotonic if $f(x) \sqsubseteq f(y)$ for all $x \sqsubseteq y$ in $A$. Recall that from Knaster-Tarski's Fix-point Theorem, any monotonic function $f \in A \to A$ has a least fix-point given by $\bigsqcap \{a \in A \mid f(a) \sqsubseteq a\}$. For any monotonic function $f \in A \to A$, we denote by $f^*$ the monotonic function in $A \to A$ defined by $f^*(x) = \bigsqcap \{a \in A \mid (x \sqcup f(a)) \sqsubseteq a\}$, in other words $f^*(x)$ is the least post-fix-point of $f$ greater than $x$.






For any complete lattice $(A, \sqsubseteq)$ and any set $S$, we also denote by $\sqsubseteq$ the partial order on $S \to A$ defined as the point-wise extension of $\sqsubseteq$, i.e. $f \sqsubseteq g$ iff $f(x) \sqsubseteq g(x)$ for all $x \in S$. The partially ordered set $(S \to A, \sqsubseteq)$ is also a complete lattice, with lub $\bigsqcup$ and glb $\bigsqcap$ satisfying $(\bigsqcup F)(s) = \bigsqcup \{f(s) \mid f \in F\}$ and $(\bigsqcap F)(s) = \bigsqcap \{f(s) \mid f \in F\}$ for any subset $F \subseteq S \to A$. Given any integer $n > 0$, we denote by $A^n$ the set of $n$-tuples over $A$. We identify $A^n$ with the set $\{1, \ldots, n\} \to A$, and therefore $A^n$ equipped with the point-wise extension of $\sqsubseteq$ also forms a complete lattice.

Let $\Sigma$ be an alphabet (a finite set of letters). We write $\Sigma^*$ for the set of all (finite) words $l_0 \cdots l_n$ over $\Sigma$, and $\varepsilon$ denotes the empty word. Given any two words $x$ and $y$, we denote by $x \cdot y$ (shortly written $xy$) their concatenation. A subset of $\Sigma^*$ is called a language.

A (directed) graph is any pair $G = (V, \to)$ where $V$ is a set of vertices and $\to$ is a binary relation over $V$. A pair $(v, v')$ in $\to$ is called an edge. A (finite) path in $G$ is any (non-empty) sequence $v_0, \ldots, v_k$ of vertices, also written $v_0 \to v_1 \cdots v_{k-1} \to v_k$, such that $v_{i-1} \to v_i$ for all $1 \le i \le k$. The nonnegative integer $k$ is called the length of the path, and the vertices $v_0$ and $v_k$ are respectively called the source and target of the path. A cycle on a vertex $v$ is any path of non-zero length with source and target equal to $v$. A cycle with no repeated vertices other than the source and the target is called elementary. We write $\xrightarrow{*}$ for the reflexive-transitive closure of $\to$. A strongly connected component (shortly SCC) in $G$ is any equivalence class for the equivalence relation $\xleftrightarrow{*}$ on $V$ defined by: $v \xleftrightarrow{*} v'$ if $v \xrightarrow{*} v'$ and $v' \xrightarrow{*} v$. We say that an SCC is cyclic when it contains a unique elementary cycle up to cyclic permutation.

2.2 Programs and data-flow solutions 

For the rest of this section, we consider a complete lattice $(A, \sqsubseteq)$. In our setting, a program will represent an instance (for some concrete program) of a data-flow analysis framework over $(A, \sqsubseteq)$. To simplify the presentation, we will consider programs given as unstructured collections of commands (this is not restrictive as control-flow may be expressed through variables).

Formally, assume a finite set $\mathcal{X}$ of variables. A command on $\mathcal{X}$ is any tuple $(X_1, \ldots, X_n; f; X)$, also written $X := f(X_1, \ldots, X_n)$, where $n \in \mathbb{N}$ is an arity, $X_1, \ldots, X_n \in \mathcal{X}$ are pairwise distinct input variables, $f \in A^n \to A$ is a monotonic transfer function, and $X \in \mathcal{X}$ is an output variable. Intuitively, a command $X := f(X_1, \ldots, X_n)$ assigns variable $X$ to $f(X_1, \ldots, X_n)$ and leaves all other variables untouched. A valuation on $\mathcal{X}$ is any function $\rho$ in $\mathcal{X} \to A$. The data-flow semantics $[\![c]\!]$ of any command $c = (X_1, \ldots, X_n; f; X)$ on $\mathcal{X}$ is the monotonic function in $(\mathcal{X} \to A) \to (\mathcal{X} \to A)$ defined by $[\![c]\!](\rho)(X) = f(\rho(X_1), \ldots, \rho(X_n))$ and $[\![c]\!](\rho)(Y) = \rho(Y)$ for all $Y \neq X$.

A program over $(A, \sqsubseteq)$ is any pair $\mathcal{P} = (\mathcal{X}, C)$ where $\mathcal{X}$ is a finite set of variables and $C$ is a finite set of commands on $\mathcal{X}$.
Example 2.1. Consider the C-style source code given below, that we want to analyse with the complete lattice $(\mathcal{I}, \subseteq)$ of intervals of $\mathbb{Z}$. The corresponding program $\mathcal{E}$ (depicted graphically in the original paper; the figure is not reproduced in this text) is defined formally afterwards.

    1   x = 1;
    2   while (x < 100) {
    3     if (x > 50) x = x-3;
    4     else        x = x+2;
    5   }

Formally, the set of variables of $\mathcal{E}$ is $\{X_1, X_2, X_3, X_5\}$, representing the value of the variable x at program points 1, 2, 3 and 5. The set of commands of $\mathcal{E}$ is $\{c_0, c_1, c_2, c_3, c_4, c_5\}$, with:

$c_0 : X_1 := \top$
$c_1 : X_2 := (\{0\} . X_1) + \{1\}$
$c_2 : X_3 := X_2 \cap \,]{-\infty}, 100]$
$c_3 : X_2 := (X_3 \cap [50, +\infty[) - \{3\}$
$c_4 : X_2 := (X_3 \cap \,]{-\infty}, 49]) + \{2\}$
$c_5 : X_5 := X_2 \cap [101, +\infty[$

We will use language-theoretic terminology and notations for traces in a program. A trace in $\mathcal{P}$ is any word $c_1 \cdots c_k$ over $C$. The empty word $\varepsilon$ denotes the empty trace and $C^*$ denotes the set of all traces in $\mathcal{P}$. The data-flow semantics is extended to traces in the obvious way: $[\![\varepsilon]\!] = 1$ and $[\![c \cdot \sigma]\!] = [\![\sigma]\!] \circ [\![c]\!]$. Observe that $[\![\sigma \cdot \sigma']\!] = [\![\sigma']\!] \circ [\![\sigma]\!]$ for every $\sigma, \sigma' \in C^*$. We also extend the data-flow semantics to sets of traces by $[\![L]\!] = \bigsqcup_{\sigma \in L} [\![\sigma]\!]$ for every $L \subseteq C^*$. Observe that $[\![L]\!]$ is a monotonic function in $(\mathcal{X} \to A) \to (\mathcal{X} \to A)$, and moreover $[\![L_1 \cup L_2]\!] = [\![L_1]\!] \sqcup [\![L_2]\!]$ for every $L_1, L_2 \subseteq C^*$.

Given a program $\mathcal{P} = (\mathcal{X}, C)$ over $(A, \sqsubseteq)$, the minimum fix-point solution (MFP-solution) of $\mathcal{P}$, written $\Lambda_{\mathcal{P}}$, is the valuation defined as follows:

$\Lambda_{\mathcal{P}} = \bigsqcap \{\rho \in \mathcal{X} \to A \mid [\![c]\!](\rho) \sqsubseteq \rho \text{ for all } c \in C\}$

Example 2.2. The MFP-solution of the program $\mathcal{E}$ from Example 2.1 is the valuation:

$\Lambda_{\mathcal{E}} = \{X_1 \mapsto \top,\ X_2 \mapsto [1, 51],\ X_3 \mapsto [1, 51],\ X_5 \mapsto \bot\}$

Recall that we denote by $[\![C]\!]^*(\rho)$ the least post-fix-point of $[\![C]\!]$ greater than $\rho$. Therefore it follows from the definitions that $\Lambda_{\mathcal{P}} = [\![C]\!]^*(\bot)$. In our framework, the merge over all paths solution (MOP-solution) may be defined as the valuation $[\![C^*]\!](\bot)$, and the following proposition recalls well-known links between the MOP-solution, the MFP-solution and the ascending Kleene chain.

Proposition 2.3. For any program $\mathcal{P} = (\mathcal{X}, C)$ over a complete lattice $(A, \sqsubseteq)$, we have:

$[\![C^*]\!](\bot) \ \sqsubseteq\ \bigsqcup_{k \in \mathbb{N}} [\![C]\!]^k(\bot) \ \sqsubseteq\ [\![C]\!]^*(\bot) = \Lambda_{\mathcal{P}}$
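As an added illustration of Examples 2.1 and 2.2 and of the ascending Kleene chain of Proposition 2.3 (this code is not part of the original paper), the Python script below encodes the six commands of $\mathcal{E}$ over the interval lattice, iterates $\rho \mapsto \rho \sqcup \bigsqcup_{c \in C} [\![c]\!](\rho)$ from $\bot$ until the chain stabilises, and checks that the limit is the MFP-solution stated in Example 2.2. The interval representation (pairs of bounds with $\pm\infty$, `None` for $\bot$), the evaluation of every command on the previous valuation at each step, and the convention $0 . (\pm\infty) = 0$ (borrowed from Section 3) are choices made for this example.

```python
"""Kleene iteration of Example 2.1 over the interval lattice (added example)."""
INF = float("inf")
BOT = None            # ⊥, the empty interval
TOP = (-INF, INF)     # ⊤ = ]-∞, +∞[  (intervals are pairs (lo, hi) with lo <= hi)


def iv(lo, hi):
    """Normalise bounds into an interval, ⊥ when empty."""
    return BOT if lo > hi else (lo, hi)


def join(i, j):
    if i is BOT:
        return j
    if j is BOT:
        return i
    return (min(i[0], j[0]), max(i[1], j[1]))


def meet(i, j):
    if i is BOT or j is BOT:
        return BOT
    return iv(max(i[0], j[0]), min(i[1], j[1]))


def leq(i, j):
    """i ⊑ j (inclusion) in the interval lattice."""
    return i is BOT or (j is not BOT and j[0] <= i[0] and i[1] <= j[1])


def add(i, j):
    if i is BOT or j is BOT:
        return BOT
    return (i[0] + j[0], i[1] + j[1])


def mul(i, j):
    """Interval product as the hull of the bound products, with 0.(±∞) = 0 as in Section 3."""
    if i is BOT or j is BOT:
        return BOT
    prods = [a * b if a and b else 0 for a in i for b in j]
    return (min(prods), max(prods))


# The six commands of the program E from Example 2.1, as (inputs, transfer function, output).
COMMANDS = [
    ((), lambda: TOP, "X1"),                                         # c0: X1 := ⊤
    (("X1",), lambda x1: add(mul((0, 0), x1), (1, 1)), "X2"),        # c1: X2 := ({0}.X1) + {1}
    (("X2",), lambda x2: meet(x2, (-INF, 100)), "X3"),               # c2: X3 := X2 ∩ ]-∞,100]
    (("X3",), lambda x3: add(meet(x3, (50, INF)), (-3, -3)), "X2"),  # c3: X2 := (X3 ∩ [50,+∞[) - {3}
    (("X3",), lambda x3: add(meet(x3, (-INF, 49)), (2, 2)), "X2"),   # c4: X2 := (X3 ∩ ]-∞,49]) + {2}
    (("X2",), lambda x2: meet(x2, (101, INF)), "X5"),                # c5: X5 := X2 ∩ [101,+∞[
]
VARS = ("X1", "X2", "X3", "X5")


def step(rho):
    """ρ ⊔ ⟦C⟧(ρ): every command is evaluated on the old valuation and the results are joined."""
    new = dict(rho)
    for ins, f, out in COMMANDS:
        new[out] = join(new[out], f(*(rho[v] for v in ins)))
    return new


def is_solution(rho):
    """⟦c⟧(ρ) ⊑ ρ for every command, i.e. ρ is a post-fix-point of ⟦C⟧."""
    return all(leq(f(*(rho[v] for v in ins)), rho[out]) for ins, f, out in COMMANDS)


def kleene(max_steps=10_000):
    """Ascending chain ⊥ ⊑ ⟦C⟧(⊥) ⊑ ⟦C⟧²(⊥) ⊑ ...; returns (limit, number of steps)."""
    rho = {v: BOT for v in VARS}
    for k in range(max_steps):
        nxt = step(rho)
        if nxt == rho:
            return rho, k
        rho = nxt
    raise RuntimeError("chain did not stabilise")  # guard for a divergent system; not hit here


if __name__ == "__main__":
    print(kleene())
```

On this program the chain stabilises after a few dozen steps because the loop counter is bounded by the guard `x < 100`; with an unbounded loop the same iteration would diverge, which is exactly the situation the acceleration of Section 2.3 addresses.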
2.3 Accelerability and flattening

We now extend notions from accelerated symbolic verification to this data-flow analysis framework. Acceleration in symbolic verification was first introduced semantically, in the form of meta-transitions [BW94, BGWW97], which basically simulate the effect of taking a given control-flow loop arbitrarily many times. This leads us to the following proposition and definition.

Proposition 2.4. Let $\mathcal{P} = (\mathcal{X}, C)$ denote a program over $(A, \sqsubseteq)$. For any languages $L_1, \ldots, L_k \subseteq C^*$, we have $([\![L_k]\!]^* \circ \cdots \circ [\![L_1]\!]^*)(\bot) \sqsubseteq \Lambda_{\mathcal{P}}$.

Definition 2.5. A program $\mathcal{P} = (\mathcal{X}, C)$ over a complete lattice $(A, \sqsubseteq)$ is called MFP-accelerable if $\Lambda_{\mathcal{P}} = ([\![\sigma_k]\!]^* \circ \cdots \circ [\![\sigma_1]\!]^*)(\bot)$ for some words $\sigma_1, \ldots, \sigma_k \in C^*$.

The following proposition shows that any program $\mathcal{P}$ for which the ascending Kleene chain stabilizes after finitely many steps is MFP-accelerable.

Proposition 2.6. Let $\mathcal{P} = (\mathcal{X}, C)$ denote a program over $(A, \sqsubseteq)$. If we have $[\![C]\!]^k(\bot) = \Lambda_{\mathcal{P}}$ for some $k \in \mathbb{N}$, then $\mathcal{P}$ is MFP-accelerable.

Acceleration in symbolic verification was later expressed syntactically, in terms of flat graph unfoldings. When lifted to data-flow analysis, this leads to a more general concept than accelerability, and we will show that these two notions coincide for "concrete" programs (as in symbolic verification). We say that a program $\mathcal{P}$ is single-input if the arity of every command in $\mathcal{P}$ is at most 1.

Given a program $\mathcal{P} = (\mathcal{X}, C)$ over $(A, \sqsubseteq)$, an unfolding of $\mathcal{P}$ is any pair $(\mathcal{P}', \kappa)$ where $\mathcal{P}' = (\mathcal{X}', C')$ is a program and $\kappa \in \mathcal{X}' \to \mathcal{X}$ is a variable renaming, such that $(\kappa(X'_1), \ldots, \kappa(X'_n); f; \kappa(X'))$ is a command in $C$ for every command $(X'_1, \ldots, X'_n; f; X')$ in $C'$. The renaming $\kappa$ induces a Galois surjection between $(\mathcal{X}' \to A, \sqsubseteq)$ and $(\mathcal{X} \to A, \sqsubseteq)$, given by the pair $(\underline{\kappa}, \overline{\kappa})$ defined as expected by $\underline{\kappa}(\rho) = \rho \circ \kappa$ and $\overline{\kappa}(\rho')(X) = \bigsqcup_{\kappa(X') = X} \rho'(X')$.

We associate a bipartite graph to any program in a natural way: vertices are either variables or commands, and edges denote input and output variables of commands. Formally, given a program $\mathcal{P} = (\mathcal{X}, C)$, the program graph of $\mathcal{P}$ is the labeled graph $G_{\mathcal{P}}$ where $\mathcal{X} \cup C$ is the set of vertices and with edges $(c, X)$ and $(X_i, c)$ for every command $c = (X_1, \ldots, X_n; f; X)$ in $C$ and $1 \le i \le n$. We say that $\mathcal{P}$ is flat if there is no SCC in $G_{\mathcal{P}}$ containing two distinct commands with the same output variable. A flattening of $\mathcal{P}$ is any unfolding $(\mathcal{P}', \kappa)$ of $\mathcal{P}$ such that $\mathcal{P}'$ is flat.

Example 2.7. A flattening of the program $\mathcal{E}$ from Example 2.1 is depicted in the original paper (the figure is not reproduced in this text). Intuitively, this flattening represents a possible unrolling of the while-loop where the two branches of the inner conditional alternate.
Lemma 2.8. Let $\mathcal{P} = (\mathcal{X}, C)$ denote a program over $(A, \sqsubseteq)$. For any unfolding $(\mathcal{P}', \kappa)$ of $\mathcal{P}$, with $\mathcal{P}' = (\mathcal{X}', C')$, we have $\overline{\kappa} \circ [\![C']\!]^* \circ \underline{\kappa} \sqsubseteq [\![C]\!]^*$.

Proposition 2.9. Let $\mathcal{P} = (\mathcal{X}, C)$ denote a program over $(A, \sqsubseteq)$. For any unfolding $(\mathcal{P}', \kappa)$ of $\mathcal{P}$, we have $\overline{\kappa}(\Lambda_{\mathcal{P}'}) \sqsubseteq \Lambda_{\mathcal{P}}$.

Definition 2.10. A program $\mathcal{P} = (\mathcal{X}, C)$ over a complete lattice $(A, \sqsubseteq)$ is called MFP-flattable if $\Lambda_{\mathcal{P}} = \overline{\kappa}(\Lambda_{\mathcal{P}'})$ for some flattening $(\mathcal{P}', \kappa)$ of $\mathcal{P}$.

Observe that any flat program is trivially MFP-flattable. The following proposition establishes links between accelerability and flattability. As a corollary to the proposition, we obtain that MFP-accelerability and MFP-flattability are equivalent for single-input programs.

Proposition 2.11. The following rel relationships hold for programs over $(A, \sqsubseteq)$:
i) MFP-accelerability implies MFP-flattability.
ii) MFP-flattability implies MFP-accelerability for single-input programs.

Proof (Sketch). To prove i), we use the fact that for every words $\sigma_1, \ldots, \sigma_k \in C^*$, there exists a finite-state automaton $\mathcal{A}$ without nested cycles recognizing $\sigma_1^* \cdots \sigma_k^*$. The "product" of any program $\mathcal{P}$ with $\mathcal{A}$ yields a flattening that "simulates" the effect of $\sigma_1^* \cdots \sigma_k^*$ on $\mathcal{P}$. To prove ii), we observe that for any flat single-input program, each non-trivial SCC of $G_{\mathcal{P}}$ is cyclic. We pick a "cyclic" trace (which is unique up to circular permutation) for each SCC, and we arrange these traces to prove that $\mathcal{P}'$ is accelerable. Backward preservation of accelerability under unfolding concludes the proof. □

Remark 2.12. For any labeled transition system $\mathcal{S}$ with a set $S$ of states, the forward collecting semantics of $\mathcal{S}$ may naturally be given as a single-input program $\mathcal{P}_{\mathcal{S}}$ over $(\mathcal{P}(S), \subseteq)$. With respect to this translation (from $\mathcal{S}$ to $\mathcal{P}_{\mathcal{S}}$), the notion of flattability developed for accelerated symbolic verification of labeled transition systems coincides with the notions of MFP-accelerability and MFP-flattability defined above.

Recall that our main goal is to compute (exact) MFP-solutions using acceleration-based techniques. According to the previous propositions, flattening-based computation of the MFP-solution seems to be the most promising approach, and we will focus on this approach for the rest of the paper.
2.4 Generic flattening-based constraint solving

It is well known that the MFP-solution of a program may also be expressed as the least solution of a constraint system, and we will use this formulation for the rest of the paper. We will use some new terminology to reflect this new formulation, however notations and definitions will remain the same. A command $(X_1, \ldots, X_n; f; X)$ will now be called a constraint, and will also be written $X \sqsupseteq f(X_1, \ldots, X_n)$. A program over $(A, \sqsubseteq)$ will now be called a constraint system over $(A, \sqsubseteq)$, and the MFP-solution will be called the least solution. Among all acceleration-based notions defined previously, we will only consider MFP-flattability for constraint systems, and hence we will shortly write flattable instead of MFP-flattable.

Given a constraint system $\mathcal{P} = (\mathcal{X}, C)$ over $(A, \sqsubseteq)$, any valuation $\rho \in \mathcal{X} \to A$ such that $\rho \sqsubseteq [\![C]\!](\rho)$ (resp. $\rho \sqsupseteq [\![C]\!](\rho)$) is called a pre-solution (resp. a post-solution). A post-solution is also shortly called a solution. Observe that the least solution $\Lambda_{\mathcal{P}}$ is the greatest lower bound of all solutions of $C$.

We now present a generic flattening-based semi-algorithm for constraint solving. Intuitively, this semi-algorithm performs a propagation of constraints starting from the valuation $\bot$, but at each step we extract a flat "subset" of constraints (possibly by duplicating some variables) and we update the current valuation with the least solution of this flat "subset" of constraints.



    1  Solve(P = (X, C) : a constraint system)
    2    ρ ← ⊥
    3    while ⟦C⟧(ρ) ⋢ ρ
    4      construct a flattening (P', κ) of P, where P' = (X', C')
    5      ρ' ← ρ ∘ κ
    6      ρ'' ← ⟦C'⟧*(ρ')          { κ̄(ρ'') ⊑ ⟦C⟧*(ρ) from Lemma 2.8 }
    7      ρ ← ρ ⊔ κ̄(ρ'')
    8    return ρ



The Solve semi-algorithm may be viewed as a generic template for applying acceleration-based techniques to constraint solving. The two main challenges are (1) the construction of a suitable flattening at line 4, and (2) the computation of the least solution for flat constraint systems (line 6). However, assuming that all involved operations are effective, this semi-algorithm is correct (i.e. if it terminates then the returned valuation is the least solution of the input constraint system), and it is complete for flattable constraint systems (i.e. the input constraint system is flattable if and only if there exist choices of flattenings at line 4 such that the while-loop terminates). We will show in the sequel how to instantiate the Solve semi-algorithm in order to obtain an efficient constraint solver for integers and intervals.
3 Integer Constraints

Following [SW04, TG07], we first investigate integer constraint solving in order to derive in the next section an interval solver. This approach is motivated by the encoding of an interval by two integers.

The complete lattice of integers $\overline{\mathbb{Z}} = \mathbb{Z} \cup \{-\infty, +\infty\}$ is equipped with the natural order:

$-\infty < \cdots < -2 < -1 < 0 < 1 < 2 < \cdots < +\infty$

Observe that the least upper bound $x \vee y$ and the greatest lower bound $x \wedge y$ respectively correspond to the maximum and the minimum. Addition and multiplication functions are extended from $\mathbb{Z}$ to $\overline{\mathbb{Z}}$ as in [TG07]:



$x . 0 = 0 . x = 0$ and $x + (-\infty) = (-\infty) + x = -\infty$, for all $x$
$x . (+\infty) = (+\infty) . x = +\infty$ and $x . (-\infty) = (-\infty) . x = -\infty$, for all $x > 0$
$x . (+\infty) = (+\infty) . x = -\infty$ and $x . (-\infty) = (-\infty) . x = +\infty$, for all $x < 0$
$x + (+\infty) = (+\infty) + x = +\infty$, for all $x > -\infty$

In particular, with these conventions $(+\infty) + (-\infty) = -\infty$ and $0 . (\pm\infty) = 0$, so an implementation cannot rely on the usual IEEE floating-point rules (which yield NaN in both cases).



A constraint system $\mathcal{P} = (\mathcal{X}, C)$ is said cyclic if the set of constraints $C$ is contained in a cyclic SCC. An example is given in the original paper (the figure is not reproduced in this text).

Observe that a cyclic constraint system is flat. A cyclic flattening $(\mathcal{P}', \kappa)$ where $\mathcal{P}' = (\mathcal{X}', C')$ can be naturally associated to any cycle $X_0 \to c_1 \to X_1 \cdots \to c_n \to X_n = X_0$ of a constraint system $\mathcal{P}$, by considering the set $\mathcal{X}'$ of variables obtained from $\mathcal{X}$ by adding $n$ new copies $Z_1, \ldots, Z_n$ of $X_1, \ldots, X_n$ with the corresponding renaming $\kappa$ that extends the identity function over $\mathcal{X}$ by $\kappa(Z_i) = X_i$, and by considering the set of constraints $C' = \{c'_1, \ldots, c'_n\}$ where $c'_i$ is obtained from $c_i$ by renaming the output variable $X_i$ by $Z_i$ and by renaming the input variable $X_{i-1}$ by $Z_{i-1}$ where $Z_0 = Z_n$.



In Section 3.1, we introduce an instance of the generic Solve semi-algorithm that solves constraint systems that satisfy a property called bounded-increasing. This class of constraint systems is extended in Section 3.2 with test constraints allowing a natural translation of interval constraint systems to constraint systems in this class.
3.1 Bounded-increasing constraint systems

A monotonic function $f \in \overline{\mathbb{Z}}^k \to \overline{\mathbb{Z}}$ is said bounded-increasing if for any $x_1 < x_2$ such that $f(\bot) < f(x_1)$ and $f(x_2) < f(\top)$ we have $f(x_1) < f(x_2)$. Intuitively $f$ is increasing over the domain of $x \in \overline{\mathbb{Z}}^k$ such that $f(x) \notin \{f(\bot), f(\top)\}$.

Example 3.1. The guarded identity $x \mapsto x \wedge b$ where $b \in \overline{\mathbb{Z}}$, the addition $(x, y) \mapsto x + y$, the two multiplication functions $\mathrm{mul}_+$ and $\mathrm{mul}_-$ defined below, the power by two $x \mapsto 2^{x \vee 0}$, the factorial $x \mapsto (x \vee 1)!$ are bounded-increasing. However the minimum and the maximum functions are not bounded-increasing.



A bounded-increasing constraint is a constraint of the form $X \ge f(X_1, \ldots, X_k)$ where $f$ is a bounded-increasing function. Such a constraint is said upper-saturated (resp. lower-saturated) by a valuation $\rho$ if $\rho(X) \ge f(\top)$ (resp. $\rho(X) \le f(\bot)$). Given a constraint system $\mathcal{P} = (\mathcal{X}, C)$ and a bounded-increasing constraint $c \in C$ upper-saturated by a valuation $\rho_0$, observe that $[\![C]\!]^*(\rho_0) = [\![C']\!]^*(\rho_0)$ where $C' = C \setminus \{c\}$. Intuitively, an upper-saturated constraint for $\rho_0$ can be safely removed from a constraint system without modifying the least solution greater than $\rho_0$. The following lemma will be useful to obtain upper-saturated constraints.

Lemma 3.2. Let $\mathcal{P}$ be a cyclic bounded-increasing constraint system. If $\rho_0$ is a pre-solution of $\mathcal{P}$ that does not lower-saturate any constraint, then either $\rho_0$ is a solution or $[\![C]\!]^*(\rho_0)$ upper-saturates a constraint.

Proof. (Sketch). Let $X_0 \to c_1 \to X_1 \to \cdots \to c_n \to X_n = X_0$ be the unique (up to a cyclic permutation) cycle in the graph associated to $\mathcal{P}$. Consider a pre-solution $\rho_0$ of $\mathcal{P}$ that is not a solution. Let us denote by $(\rho_i)_{i \ge 0}$ the sequence of valuations defined inductively by $\rho_{i+1} = \rho_i \vee [\![C]\!](\rho_i)$. There are two cases:

- either there exists $i \ge 0$ such that $\rho_i$ upper-saturates a constraint $c_j$. Since $\rho_i \le [\![C]\!]^*(\rho_0)$, we deduce that $[\![C]\!]^*(\rho_0)$ upper-saturates $c_j$.

- or $c_1, \ldots, c_n$ are not upper-saturated by any of the $\rho_i$. As these constraints are bounded-increasing, the sequence $(\rho_i)_{i \ge 0}$ is strictly increasing. Thus $(\bigvee_{i \ge 0} \rho_i)(X_j) = +\infty$ for any $1 \le j \le n$. Since $\bigvee_{i \ge 0} \rho_i \le [\![C]\!]^*(\rho_0)$, we deduce that $[\![C]\!]^*(\rho_0)$ upper-saturates $c_1, \ldots, c_n$.

In both cases, $[\![C]\!]^*(\rho_0)$ upper-saturates at least one constraint. □



     1  CyclicSolve(P = (X, C) : a cyclic bounded-increasing constraint system,
     2              ρ0 : a valuation)
     3    let X0 → c1 → X1 ··· cn → Xn = X0 be the "unique" elementary cycle
     4    ρ ← ρ0
     5    for i = 1 to n do
     6      ρ ← ρ ∨ ⟦ci⟧(ρ)
     7    for i = 1 to n do
     8      ρ ← ρ ∨ ⟦ci⟧(ρ)
     9    if ρ ≥ ⟦C⟧(ρ)
    10      return ρ
    11    for i = 1 to n do
    12      ρ(Xi) ← +∞
    13    for i = 1 to n do
    14      ρ ← ρ ∧ ⟦ci⟧(ρ)
    15    for i = 1 to n do
    16      ρ ← ρ ∧ ⟦ci⟧(ρ)
    17    return ρ



Proposition 3.3. The algorithm CyclicSolve returns $[\![C]\!]^*(\rho_0)$ for any cyclic bounded-increasing constraint system $\mathcal{P}$ and for any valuation $\rho_0$.

Proof. (Sketch). The first two loops (lines 5-8) propagate the valuation $\rho_0$ along the cycle two times. If the resulting valuation is not a solution at this point, then it is a pre-solution and no constraint is lower-saturated. From Lemma 3.2, we get that $[\![C]\!]^*(\rho_0)$ upper-saturates some constraint. Observe that the valuation $\rho$ after the third loop (lines 11-12) satisfies $[\![C]\!]^*(\rho_0) \le \rho$. The descending iteration of the last two loops yields (at line 17) $[\![C]\!]^*(\rho_0)$. □

We may now present our cubic-time algorithm for solving bounded-increasing constraint systems. The main loop of this algorithm first performs $|C| + 1$ rounds of Round Robin iterations and keeps track for each variable of the last constraint that updated its value. This information is stored in a partial function $\lambda$ from $\mathcal{X}$ to $C$. The second part of the main loop checks whether there exists a cycle in the subgraph induced by $\lambda$, and if so it selects such a cycle and calls the CyclicSolve algorithm on it.



     1  SolveBI(P = (X, C) : a bounded-increasing constraint system,
     2          ρ0 : an initial valuation)
     3    ρ ← ρ0 ∨ ⟦C⟧(ρ0)
     4    while ⟦C⟧(ρ) ≰ ρ
     5      λ ← ∅                     { λ is a partial function from X to C }
     6      repeat |C| + 1 times
     7        for each c ∈ C
     8          if ρ ≱ ⟦c⟧(ρ)
     9            ρ ← ρ ∨ ⟦c⟧(ρ)
    10            λ(X) ← c, where X is the output variable of c
    11      if there exists an elementary cycle X0 → λ(X1) → X1 ··· λ(Xn) → Xn = X0
    12        construct the corresponding cyclic flattening (P', κ)
    13        ρ' ← ρ ∘ κ
    14        ρ'' ← CyclicSolve(P', ρ')
    15        ρ ← ρ ∨ κ̄(ρ'')
    16    return ρ



Note that the SolveBI algorithm is an instance of the Solve semi-algorithm where flattenings are deduced from cycles induced by the partial function $\lambda$. The following Proposition 3.4 shows that this algorithm terminates.

Proposition 3.4. The algorithm SolveBI returns the least solution $[\![C]\!]^*(\rho_0)$ of a bounded-increasing constraint system $\mathcal{P}$ greater than a valuation $\rho_0$. Moreover, the number of times the while loop is executed is bounded by one plus the number of constraints that are upper-saturated for $[\![C]\!]^*(\rho_0)$ but not for $\rho_0$.

Proof. (Sketch). Observe that initially $\rho = \rho_0 \vee [\![C]\!](\rho_0)$. Thus, if during the execution of the algorithm $\rho(X)$ is updated by a constraint $c$ then necessarily $c$ is not lower-saturated. That means that if $\lambda(X)$ is defined then $c = \lambda(X)$ is not lower-saturated.

Let $\rho_a$ and $\rho_1$ be the values of $\rho$ respectively before and after the execution of the first two nested loops (lines 6-10) and let $\rho_2$ be the value of $\rho$ after the execution of line 14.

Observe that if there does not exist an elementary cycle satisfying the condition given in line 11, the graph associated to $\mathcal{P}$ restricted to the edges $(c, X)$ with $c = \lambda(X)$ and the edges $(X_i, c)$ with $X_i$ an input variable of $c$ is acyclic. This graph induces a natural partial order over the constraints $c$ of the form $c = \lambda(X)$. An enumeration $c_1, \ldots, c_m$ of these constraints compatible with the partial order provides the relation $\rho_1 \le [\![c_1 \cdots c_m]\!](\rho_a)$. Since the loop of lines 6-10 is executed at least $m + 1$ times, we deduce that $\rho_1$ is a solution of $C$.

Lemma 3.2 shows that if $\rho_1$ is not a solution of $\mathcal{P}$ then at least one constraint is upper-saturated for $\rho_2$ but not for $\rho_0$. We deduce that the number of times the while loop is executed is bounded by one plus the number of constraints that are upper-saturated for $[\![C]\!]^*(\rho_0)$ but not for $\rho_0$. □
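Added example (not code from the paper): a direct Python transcription of the extended arithmetic of Section 3, of CyclicSolve and of SolveBI, run on a constructed three-constraint system $X_2 \ge X_1 + 1$, $X_1 \ge X_2 \wedge 10^6$, $X_3 \ge X_1 + X_2$ from $\rho_0 = \{X_1 \mapsto 0, X_2 \mapsto -\infty, X_3 \mapsto -\infty\}$. Plain round-robin iteration needs about $10^6$ rounds on this system, whereas SolveBI finds the cycle through $\lambda$ after its first $|C| + 1$ rounds and CyclicSolve closes it in four passes. Two simplifications are assumptions of this example rather than the paper's construction: the cyclic flattening is not materialised (the cycle constraints are solved in place on the current valuation, which coincides with solving the flattening when each cycle constraint has exactly one input on the cycle), and the cycle of line 11 is located by a depth-first search over the graph induced by $\lambda$. The system, the variable names and `kleene_rounds` are constructed for the example.

```python
"""CyclicSolve / SolveBI (Section 3.1) over the extended integers, as an added example."""
INF = float("inf")


def ext_add(x, y):
    """x + y on Z ∪ {-∞,+∞}: by the table of Section 3, -∞ absorbs everything."""
    if x == -INF or y == -INF:
        return -INF
    return x + y


def ext_mul(x, y):
    """x.y on Z ∪ {-∞,+∞} with x.0 = 0.x = 0 for every x, including ±∞."""
    if x == 0 or y == 0:
        return 0
    return x * y  # Python already gives sign(x)·sign(y)·∞ for infinite operands


# A bounded-increasing constraint X >= f(X_1, ..., X_k) is the triple (inputs, f, output).
def apply(c, rho):
    ins, f, _ = c
    return f(*(rho[v] for v in ins))


def is_solution(constraints, rho):
    """ρ ≥ ⟦C⟧(ρ), i.e. every constraint holds."""
    return all(rho[c[2]] >= apply(c, rho) for c in constraints)


def cyclic_solve(cycle, rho0):
    """CyclicSolve: cycle = [c_1, ..., c_n], out(c_i) = X_i and X_{i-1} is an input of c_i (X_0 = X_n)."""
    rho = dict(rho0)
    for _ in range(2):  # lines 5-8: propagate twice along the cycle
        for c in cycle:
            rho[c[2]] = max(rho[c[2]], apply(c, rho))
    if is_solution(cycle, rho):  # line 9
        return rho
    for c in cycle:  # lines 11-12: some constraint upper-saturates (Lemma 3.2), jump to +∞
        rho[c[2]] = INF
    for _ in range(2):  # lines 13-16: descend twice to the least post-fix-point
        for c in cycle:
            rho[c[2]] = min(rho[c[2]], apply(c, rho))
    return rho


def find_cycle(lam):
    """Elementary cycle X_0 → λ(X_1) → X_1 ⋯ λ(X_n) → X_n = X_0 in the graph induced by λ (DFS,
    this example's own choice).  Returns [λ(X_1), ..., λ(X_n)] or None."""
    succ = {x: [] for x in lam}
    for x, (ins, _, _) in lam.items():
        for y in ins:
            if y in lam:
                succ[y].append(x)  # Y is an input of λ(X): edge Y → λ(X) → X
    state, stack = {}, []

    def dfs(v):
        state[v] = "open"
        stack.append(v)
        for w in succ[v]:
            if state.get(w) == "open":
                return stack[stack.index(w):]  # back edge: the vertices of an elementary cycle
            if w not in state:
                found = dfs(w)
                if found:
                    return found
        stack.pop()
        state[v] = "closed"
        return None

    for v in succ:
        if v not in state:
            cyc = dfs(v)
            if cyc:
                return [lam[x] for x in cyc[1:] + cyc[:1]]
    return None


def solve_bi(constraints, rho0):
    """SolveBI: returns (least solution above rho0, number of outer while-iterations)."""
    rho = dict(rho0)
    for c in constraints:  # line 3: ρ ← ρ0 ∨ ⟦C⟧(ρ0)
        rho[c[2]] = max(rho[c[2]], apply(c, rho0))
    outer = 0
    while not is_solution(constraints, rho):  # line 4
        outer += 1
        lam = {}
        for _ in range(len(constraints) + 1):  # lines 6-10: round robin, remember the last updater
            for c in constraints:
                v = apply(c, rho)
                if v > rho[c[2]]:
                    rho[c[2]] = v
                    lam[c[2]] = c
        cycle = find_cycle(lam)  # line 11
        if cycle:  # lines 12-15, with the cycle solved in place instead of on a flattening
            acc = cyclic_solve(cycle, rho)
            for c in cycle:
                rho[c[2]] = max(rho[c[2]], acc[c[2]])
    return rho, outer


def kleene_rounds(constraints, rho0, limit):
    """Plain round-robin iteration for comparison; None if not stable within `limit` rounds."""
    rho = dict(rho0)
    for k in range(limit):
        if is_solution(constraints, rho):
            return k
        for c in constraints:
            rho[c[2]] = max(rho[c[2]], apply(c, rho))
    return None


BIG = 10**6
SYSTEM = [  # constructed example: a counter bounded by a guarded identity
    (("X1",), lambda x: ext_add(x, 1), "X2"),  # X2 >= X1 + 1
    (("X2",), lambda x: min(x, BIG), "X1"),    # X1 >= X2 ∧ BIG
    (("X1", "X2"), ext_add, "X3"),             # X3 >= X1 + X2
]
RHO0 = {"X1": 0, "X2": -INF, "X3": -INF}

if __name__ == "__main__":
    print(solve_bi(SYSTEM, RHO0), kleene_rounds(SYSTEM, RHO0, 1000))
```

The cost is independent of the magnitude of the constant: the first outer iteration saturates the guarded identity at $10^6$ through the jump to $+\infty$ and the two descending passes, and the second one only propagates the result into $X_3$.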

3.2 Integer constraint systems

A test function is a function $\theta_{\ge b}$ or $\theta_{\le b}$ with $b \in \mathbb{Z}$ of the following form:

A test constraint is a constraint of the form $X \ge \theta_{\sim b}(X_1, X_2)$ where $\theta_{\sim b}$ is a test function. Such a constraint $c$ is said active for a valuation $\rho$ if $\rho(X_1) \sim b$. Given a valuation $\rho$ such that $c$ is active, observe that $[\![c]\!](\rho)$ and $[\![c']\!](\rho)$ are equal where $c'$ is the bounded-increasing constraint $X \ge X_2$. This constraint $c'$ is called the active form of $c$ and denoted by $\mathrm{act}(c)$.

In the sequel, an integer constraint either refers to a bounded-increasing constraint or a test constraint.
     1  SolveInteger(P = (X, C) : an integer constraint system)
     2    Ct ← set of test constraints in C
     3    C' ← set of bounded-increasing constraints in C
     4    ρ ← ⊥
     5    while ⟦C⟧(ρ) ≰ ρ
     6      ρ ← SolveBI((X, C'), ρ)
     7      for each c ∈ Ct
     8        if c is active for ρ
     9          Ct ← Ct \ {c}
    10          C' ← C' ∪ {act(c)}
    11    return ρ



Theorem 3.5. The algorithm SolveInteger computes the least solution of an integer constraint system $\mathcal{P} = (\mathcal{X}, C)$ by performing $O((|\mathcal{X}| + |C|)^3)$ integer comparisons and image computations by some bounded-increasing functions.

Proof. Let us denote by $n_t$ the number of test constraints in $C$. Observe that if during an execution of the while loop no test constraint becomes active (lines 7-10) then $\rho$ is a solution of $\mathcal{P}$ and the algorithm terminates. Thus this loop is executed at most $1 + n_t$ times. Let us denote by $m_1, \ldots, m_k$ the integers such that $m_i$ is equal to the number of times the while loop of SolveBI is executed during the $i$-th call. Since after the $i$-th call there are $m_i - 1$ constraints that have become upper-saturated, we deduce that $\sum_{i=1}^{k} (m_i - 1) \le |C|$ and in particular $\sum_{i=1}^{k} m_i \le |C| + k \le 2 . |C|$. Thus the algorithm SolveInteger computes the least solution of an integer constraint system $\mathcal{P} = (\mathcal{X}, C)$ by performing $O((|\mathcal{X}| + |C|)^3)$ integer comparisons and image computations by some bounded-increasing functions. □

Remark 3.6. We deduce that any integer constraint system is MFP-flattable.

4 Interval Constraints

In this section, we provide a cubic-time constraint solver for intervals. Our solver is based on the usual [SW04, TG07] encoding of intervals by two integers in $\overline{\mathbb{Z}}$. The main challenge is the translation of an interval constraint system with full multiplication into an integer constraint system.

An interval I is a subset of Z of the form {x ∈ Z; a ≤ x ≤ b} where a, b ∈ Z. 
We denote by 𝓘 the complete lattice of intervals partially ordered with the inclu- 
sion relation ⊆. The inverse −I of an interval I, the sum and the multiplication 
of two intervals I1 and I2 are defined as follows: 

  −I = {−x; x ∈ I}    I1 + I2 = {x1 + x2; (x1, x2) ∈ I1 × I2}    I1.I2 = ⊔{x1.x2; (x1, x2) ∈ I1 × I2} 

We consider interval constraints of the following forms where I ∈ 𝓘: 

  X ⊒ −X1    X ⊒ I    X ⊒ X1 + X2    X ⊒ X1 ∩ I    X ⊒ X1.X2 

Observe that we allow arbitrary multiplication between intervals, but we restrict 
intersection to intervals with a constant interval. 

We say that an interval constraint system 𝓕 = (𝒳, C) has the positive- 
multiplication property if for any constraint c ∈ C of the form X ⊒ X1.X2, the 
intervals Λ_𝓕(X1) and Λ_𝓕(X2) are included in ℕ. Given an interval constraint 
system 𝓕 = (𝒳, C) we can effectively compute an interval constraint system 𝓕' = 
(𝒳', C') satisfying this property and such that 𝒳 ⊆ 𝒳' and Λ_𝓕(X) = Λ_𝓕'(X) 
for any X ∈ 𝒳. This constraint system 𝓕' is obtained from 𝓕 by replacing the 
constraints X ⊒ X1.X2 by the following constraints: 

  X ⊒ X1,u.X2,u      X1,u ⊒ X1 ∩ ℕ 
  X ⊒ X1,l.X2,l      X2,u ⊒ X2 ∩ ℕ 
  X ⊒ −X1,u.X2,l     X1,l ⊒ (−X1) ∩ ℕ 
  X ⊒ −X1,l.X2,u     X2,l ⊒ (−X2) ∩ ℕ 

Intuitively X1,u and X2,u correspond to the positive parts of X1 and X2, while 
X1,l and X2,l correspond to the negative parts. 

Let us provide our construction for translating an interval constraint system 
𝓕 = (𝒳, C) having the positive-multiplication property into an integer constraint 
system 𝓕' = (𝒳', C'). Since an interval I can be naturally encoded by two 
integers I⁻, I⁺ ∈ Z defined as the least upper bounds of respectively −I and I, 
we naturally assume that 𝒳' contains two integer variables X⁻ and X⁺ encoding 
each interval variable X ∈ 𝒳. In order to extract from the least solution of 𝓕' the 
least solution of 𝓕, we are looking for an integer constraint system 𝓕' satisfying 
(Λ_𝓕(X))⁻ = Λ_𝓕'(X⁻) and (Λ_𝓕(X))⁺ = Λ_𝓕'(X⁺) for any X ∈ 𝒳. 

As expected, a constraint X ⊒ −X1 is converted into X⁺ ≥ X1⁻ and X⁻ ≥ 
X1⁺, a constraint X ⊒ I into X⁺ ≥ I⁺ and X⁻ ≥ I⁻, and a constraint X ⊒ 
X1 + X2 into X⁻ ≥ X1⁻ + X2⁻ and X⁺ ≥ X1⁺ + X2⁺. However, a constraint 
X ⊒ X1 ∩ I cannot be simply translated into X⁻ ≥ X1⁻ ∧ I⁻ and X⁺ ≥ X1⁺ ∧ I⁺. 
In fact, these constraints may introduce imprecision when Λ_𝓕(X1) ∩ I = ∅. We 
use test functions to overcome this problem. Such a constraint is translated into 
the following integer constraints: 

  X⁻ ≥ θ_{>−I⁺}(X1⁻, θ_{>−I⁻}(X1⁺, X1⁻ ∧ I⁻)) 
  X⁺ ≥ θ_{>−I⁻}(X1⁺, θ_{>−I⁺}(X1⁻, X1⁺ ∧ I⁺)) 

For the same reason, the constraint X ⊒ X1.X2 cannot be simply converted 
into X⁻ ≥ mul⁻(X1⁻, X2⁻) and X⁺ ≥ mul⁺(X1⁺, X2⁺). Instead, we consider the 
following constraints: 

  X⁻ ≥ θ_{>−∞}(X1⁻, θ_{>−∞}(X1⁺, θ_{>−∞}(X2⁻, θ_{>−∞}(X2⁺, mul⁻(X1⁻, X2⁻))))) 

  X⁺ ≥ θ_{>−∞}(X1⁺, θ_{>−∞}(X1⁻, θ_{>−∞}(X2⁺, θ_{>−∞}(X2⁻, mul⁺(X1⁺, X2⁺))))) 

Observe in fact that X⁻ ≥ mul⁻(X1⁻, X2⁻) and X⁺ ≥ mul⁺(X1⁺, X2⁺) are precise 
constraints when the intervals I1 = Λ_𝓕(X1) and I2 = Λ_𝓕(X2) are non-empty. 
Since I1.I2 = ∅ if this condition does not hold, the previous encoding handles 
this case by testing whether the values of X1⁻, X1⁺, X2⁻, X2⁺ are strictly 
greater than −∞. 
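As an added illustration (not code from the paper), the following Python runs the two-integer encoding of this section and the multiplication translation above: intervals are stored as (I⁻, I⁺) = (lub(−I), lub(I)) with (−∞, −∞) for the empty interval, each operand is split into its positive and negative parts X1,u, X1,l, X2,u, X2,l, and mul⁻/mul⁺ are guarded by the θ_{>−∞} tests. It assumes the test function reads θ_{>a}(x, y) = y if x > a and −∞ otherwise, and it evaluates the intersection with the constant ℕ directly on the encoding rather than through the test-function translation; the result is checked against the set-based definition of I1.I2.

```python
from itertools import product as cartesian

NEG_INF, POS_INF = float("-inf"), float("inf")
EMPTY = (NEG_INF, NEG_INF)          # empty interval: lub of the empty set is -oo

def encode(a, b):
    """{x in Z ; a <= x <= b}  ->  (I^-, I^+) = (lub(-I), lub(I))."""
    return EMPTY if a > b else (-a, b)

def neg(i):
    """X ⊒ -X1 becomes X^+ >= X1^- and X^- >= X1^+: swap the two bounds."""
    return (i[1], i[0])

def meet_nat(i):
    """I ∩ N evaluated directly on the encoding (constant N = [0, +oo))."""
    return EMPTY if i[1] < 0 else (min(i[0], 0), i[1])

def theta(a, x, y):
    """Assumed test function theta_{>a}(x, y): y when x > a, -oo otherwise."""
    return y if x > a else NEG_INF

def mul_bound(u, v):
    """Product of two bounds; 0 * (+oo) is 0 since 0 * x = 0 for every x."""
    return 0 if u == 0 or v == 0 else u * v

def mul_pos(i1, i2):
    """X ⊒ X1.X2 for X1, X2 ⊆ N, with the four theta_{>-oo} guards so that an
    empty operand yields the empty interval instead of a spurious bound."""
    lo, hi = -mul_bound(i1[0], i2[0]), mul_bound(i1[1], i2[1])
    for bound in (i1[0], i1[1], i2[0], i2[1]):
        lo, hi = theta(NEG_INF, bound, lo), theta(NEG_INF, bound, hi)
    return (lo, hi)

def mul(i1, i2):
    """Full multiplication: split each operand into Xu = X ∩ N and
    Xl = (-X) ∩ N, then take the join of the four products."""
    x1u, x1l = meet_nat(i1), meet_nat(neg(i1))
    x2u, x2l = meet_nat(i2), meet_nat(neg(i2))
    parts = (mul_pos(x1u, x2u), mul_pos(x1l, x2l),
             neg(mul_pos(x1u, x2l)), neg(mul_pos(x1l, x2u)))
    return (max(p[0] for p in parts), max(p[1] for p in parts))

def concrete_mul(a1, b1, a2, b2):
    """Reference: interval hull of {x1*x2 ; x1 in [a1,b1], x2 in [a2,b2]}."""
    prods = [x * y for x, y in cartesian(range(a1, b1 + 1), range(a2, b2 + 1))]
    return EMPTY if not prods else (-min(prods), max(prods))

if __name__ == "__main__":
    assert mul(encode(-2, 3), encode(-1, 4)) == concrete_mul(-2, 3, -1, 4) == (8, 12)
    assert mul(encode(1, POS_INF), encode(0, 0)) == (0, 0)   # [1,+oo) . {0} = {0}
```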

Now, observe that the integer constraint system 𝓕' satisfies the equalities 
(Λ_𝓕(X))⁺ = Λ_𝓕'(X⁺) and (Λ_𝓕(X))⁻ = Λ_𝓕'(X⁻) for any X ∈ 𝒳. Thus, we 
have proved the following theorem. 

Theorem 4.1. The least solution of an interval constraint system 𝓕 = (𝒳, C) 
with full multiplication can be computed in time O((|𝒳| + |C|)^3) with integer 
manipulations performed in O(1). 

Remark 4.2. We deduce that any interval constraint system is MFP-flattable. 



5 Conclusion and Future Work 



In this paper we have extended the acceleration framework from symbolic verification 
to the computation of MFP-solutions in data-flow analysis. Our approach 
leads to an efficient cubic-time algorithm for solving interval constraints with 
full addition and multiplication, and intersection with a constant. 

As future work, it would be interesting to combine this result with strategy 
iteration techniques considered in [TG07] in order to obtain a polynomial time 
algorithm for the extension with full intersection. We also intend to investigate 
the application of the acceleration framework to other abstract domains. 
A Proof of Lemma 3.2 

Lemma 3.2. Let 𝓕 be a cyclic bounded-increasing constraint system. If ρ0 is a 
pre-solution of 𝓕 that does not lower-saturate any constraint, then either ρ0 is a 
solution or [[C]]*(ρ0) upper-saturates a constraint. 

Proof. Let X0 → c1 → X1 → ··· → cn → Xn = X0 be the unique (up to a 
cyclic permutation) cycle in the graph associated to 𝓕. 

Let us prove that for any pre-solution ρ that is not a solution and that 
does not lower-saturate any constraint, there exists a constraint c ∈ C such 
that ρ' = [[c]](ρ) is a pre-solution satisfying ρ' ≥ ρ that either upper-saturates 
a constraint or that is not a solution. Since ρ is not a solution, there exists a 
constraint c_{i−1} such that the valuation ρ' = [[c_{i−1}]](ρ) satisfies ρ' ≠ ρ. As c_{i−1} 
only modifies the value of X_{i−1}, we get ρ'(X_{i−1}) > ρ(X_{i−1}). Observe that if ρ' 
upper-saturates c_{i−1} we are done. Let us assume that ρ' does not upper-saturate 
c_{i−1}. Let us show that ρ' is not a solution of C. As ρ is a pre-solution and c_i 
is the unique constraint that modifies X_i, we have ρ(X_i) ≤ [[c_i]](ρ)(X_i). Since 
ρ(X_{i−1}) < ρ'(X_{i−1}) and c_i is neither upper-saturated nor lower-saturated for ρ' 
and ρ, we get [[c_i]](ρ)(X_i) < [[c_i]](ρ')(X_i) from ρ < ρ'. The relations ρ(X_i) = 
ρ'(X_i), ρ(X_i) ≤ [[c_i]](ρ)(X_i) and [[c_i]](ρ)(X_i) < [[c_i]](ρ')(X_i) provide the relation 
[[c_i]](ρ')(X_i) > ρ'(X_i). Thus ρ' is not a solution. 

Assume by contradiction that [[C]]*(ρ0) does not upper-saturate a constraint. 
Since ρ0 is a pre-solution that is not a solution and such that any constraint c ∈ C 
is not lower-saturated, from the previous paragraph we get an infinite sequence 
ρ0 < ... < ρ_k < ... of valuations satisfying ρ_k ≤ [[C]]*(ρ0). We deduce that there 
exists a variable X_i such that ∨_{k≥0} ρ_k(X_i) = +∞. Thus [[C]]*(ρ0)(X_i) = +∞ and 
we have proved that [[C]]*(ρ0) upper-saturates c_{i+1}. This contradiction proves 
that [[C]]*(ρ0) upper-saturates at least one constraint in C. □ 

B Proof of Proposition 3.3 

Proposition 3.3. The algorithm CyclicSolve returns [[C]]*(ρ0) for any cyclic 
constraint system 𝓕 and for any valuation ρ0. 

Proof. Let ρ1, ρ2, ρ3, ρ4 and ρ5 be the values of ρ just after the 1st, 2nd, 
3rd, 4th and 5th loops. 

Let us first show that if the i0-th iteration of the second loop does not modify 
the valuation ρ then ρ2 is a solution of 𝓕. Observe that the iterations i0, ..., n of 
the first loop and the iterations 1, ..., i0 − 1 of the second loop provide a valuation 
ρ such that ρ(X_i) ≥ [[c_i]](ρ)(X_i) for any i ≠ i0. As the i0-th iteration of the second 
loop does not modify ρ we deduce that ρ(X_{i0}) ≥ [[c_{i0}]](ρ)(X_{i0}). Therefore ρ is a 
solution. We deduce that ρ remains unchanged during the remaining iterations 
i0, ..., n of the second loop. Thus ρ2 is a solution of 𝓕. 

Assume that ρ2 is not a pre-solution of 𝓕. There exists i0 such that [[c_{i0}]](ρ)(X_{i0}) ≱ 
ρ(X_{i0}). We deduce that the value of ρ has not been modified at the i0-th iteration 
of the 2nd loop. Thus, from the previous paragraph, ρ2 is a solution. 

Next, assume that a constraint c_{i0} is lower-saturated by ρ2. Since after the 
i0-th iteration of the first loop we have ρ(X_{i0}) ≥ [[c_{i0}]](⊥)(X_{i0}), we deduce that the i0-th 
iteration of the second loop does not modify ρ. From the first paragraph we also 
deduce that ρ2 is a solution of 𝓕. 

As line 9 of the algorithm detects if ρ2 is a solution, we can assume that 
ρ2 is not a solution. From the two previous paragraphs we deduce that ρ2 is a 
pre-solution of 𝓕 and the constraints are not lower-saturated. From Lemma 3.2 
we deduce that [[C]]*(ρ2) upper-saturates at least one constraint denoted by c_{i0}. 
Observe that [[C]]*(ρ2) = [[C]]*(ρ0). 

Let us show that [[c]]([[C]]*(ρ0)) = [[C]]*(ρ0) for any constraint c ∈ C. Since 
ρ2 is a pre-solution we get [[C]]([[C]]*(ρ2)) = [[C]]*(ρ2). Moreover, as the output 
variables of two distinct constraints are distinct, we deduce that [[c]]([[C]]*(ρ2)) = 
[[C]]*(ρ2) for any constraint c ∈ C. As [[C]]*(ρ0) = [[C]]*(ρ2) we get the property. 

We deduce that the valuation ρ' = ρ ∧ [[c]](ρ) satisfies [[C]]*(ρ0) ≤ ρ' for any 
valuation ρ such that [[C]]*(ρ0) ≤ ρ and for any constraint c ∈ C. 

After the 3rd loop of the algorithm, we have [[C]]*(ρ0) ≤ ρ3, and the previous 
paragraph proves that [[C]]*(ρ0) ≤ ρ is an invariant of the remainder of the 
program. Observe that at the i0-th iteration of the 4th loop, we have ρ(X_{i0}) = 
[[C]]*(ρ0)(X_{i0}). Thanks to the remaining iterations i0 + 1, ..., n of the 4th loop 
and the first iterations 1, ..., i0 − 1 of the 5th loop, we get ρ(X_i) = [[C]]*(ρ0)(X_i) 
for any i since [[c]]([[C]]*(ρ0)) = [[C]]*(ρ0) for any constraint c ∈ C. Thus at 
this point of the execution we have ρ = [[C]]*(ρ0). Observe that ρ is unchanged 
during the remaining iterations of the 5th loop. Thus, the algorithm returns 
[[C]]*(ρ0). □ 



C Proof of Proposition 3.4 

Proposition 3.4. The algorithm SolveBI returns the least solution [[C]]*(ρ0) of 
a bounded-increasing constraint system 𝓕 greater than a valuation ρ0. Moreover, 
the number of times the while loop is executed is bounded by one plus the number 
of constraints that are upper-saturated for [[C]]*(ρ0) but not for ρ0. 

Proof. Note that λ is a partially defined function from 𝒳 to C. At the beginning 
of the while loop this function is empty. Then, it is updated when the algorithm 
replaces a valuation ρ by ρ ∨ [[c]](ρ). Denoting by X the output variable of c, the 
value λ(X) becomes equal to c. That means λ keeps in memory the last con- 
straint that has modified a variable. Observe also that initially ρ = ρ0 ∨ [[C]](ρ0). 
Thus, if during the execution of the algorithm ρ(X) is updated by a constraint 
c then necessarily c is not lower-saturated. That means if λ(X) is defined then 
c = λ(X) is not lower-saturated. 

Let ρ0 and ρ1 be the values of ρ respectively before and after the execution 
of the first two nested loops (lines 5-9) and let ρ2 be the value of ρ after the 
execution of line 14. 

We are going to prove that if the sets of upper-saturated constraints for ρ0 and 
ρ1 are equal and if there does not exist a cycle satisfying the condition given at line 
10, then ρ1 is a solution of 𝓕. Let us consider the subset of constraints C' = 
{λ(X); X ∈ 𝒳} and let us consider the graph G' associated to the constraint 
system (𝒳, C'). We construct the graph G1 obtained from G' by keeping only 
the transitions (X, c) if c = λ(X) and the transitions (X_j, c). Observe that G1 is 
acyclic. Thus, there exists an enumeration c1, ..., cm of the set of constraints C' 
such that if there exists a path from c_{i1} to c_{i2} in G1 then i1 < i2. Let us denote 
by X_i the output variable of c_i. 

Let us prove by induction over i that for any j ∈ {1, ..., i} we have ρ1(X_j) ≤ 
[[c1 ... c_j]](ρ0)(X_j). The rank i = 0 is immediate since in this case {1, ..., i} is 
empty. Let us assume that rank i − 1 < n is true and let us prove the rank i. 
Since λ(X_i) = c_i we deduce that the valuation ρ1(X_i) has been modified thanks 
to c_i. Thus, denoting by ρ the valuation in the algorithm just before this up- 
date, we deduce that ρ1(X_i) = [[c_i]](ρ)(X_i) and ρ0 ≤ ρ ≤ ρ1. Let us prove that 
ρ(X_{i,j}) ≤ [[c1 ... c_{i−1}]](ρ0)(X_{i,j}) for any input variable X_{i,j} of c_i. Observe that 
if X_{i,j} ∉ X' then ρ1(X_{i,j}) = ρ(X_{i,j}) = ρ0(X_{i,j}) by construction of λ and in 
particular ρ(X_{i,j}) ≤ [[c1 ... c_{i−1}]](ρ0)(X_{i,j}) since c1, ..., c_{i−1} do not modify the 
variable X_{i,j}. Otherwise, if X_{i,j} ∈ X', there exists i' < i satisfying X_{i,j} = 
X_{i'}. By induction hypothesis, we have ρ1(X_{i'}) ≤ [[c1 ... c_{i'}]](ρ0)(X_{i'}). Since 
c1, ..., cm have distinct output variables, we deduce that [[c1 ... c_{i'}]](ρ0)(X_{i'}) = 
[[c1 ... c_{i−1}]](ρ0)(X_{i'}). Thus ρ1(X_{i,j}) ≤ [[c1 ... c_{i−1}]](ρ0)(X_{i,j}) and from ρ ≤ ρ1, 
we get ρ(X_{i,j}) ≤ [[c1 ... c_{i−1}]](ρ0)(X_{i,j}) for any input variable X_{i,j}. Therefore 
[[c_i]](ρ)(X_i) ≤ [[c1 ... c_i]](ρ0)(X_i). From ρ1(X_i) = [[c_i]](ρ)(X_i), we get ρ1(X_i) ≤ 
[[c1 ... c_i]](ρ0)(X_i) and we have proved the induction. 

We deduce the relation ρ1 ≤ [[c1 ... cm]](ρ0) since c1, ..., cm have distinct 
output variables. Observe that after the first execution of the loop 6-9, we get 
ρ ≥ [[c1]](ρ0), after the second ρ ≥ [[c1.c2]](ρ0). By induction, after m executions 
we get ρ ≥ [[c1 ... cm]](ρ0) ≥ ρ1. Since m ≤ |C|, this loop is executed at least one 
more time. Note that after this execution, we have ρ ≥ [[c]](ρ1) for any c ∈ C. 
Since ρ1 ≥ ρ, we have proved that ρ1 ≥ [[C]](ρ1). Therefore ρ1 is a solution of 
C. 

Next, assume that there exists a cycle X0 → c1 → X1 ··· cn → Xn = X0 
that satisfies c_i = λ(X_i). From the first paragraph we deduce that c1, ..., cn are 
not lower-saturated. Let us prove that there exists a constraint upper-saturated 
for ρ2 that is not upper-saturated for ρ0. Naturally, if there exists a constraint 
upper-saturated for ρ1 that is not upper-saturated for ρ0, since ρ1 ≤ ρ2, we 
are done. Thus, we can assume that the constraints c1, ..., cn are not upper- 
saturated for ρ1. By definition of λ, we get ρ1(X_i) ≤ [[c_i]](ρ)(X_i). Thus ρ' is a pre- 
solution of 𝓕. Let X_i be the last variable amongst X0, ..., X_{n−1} that has been 
updated. Since c_{i+1} is not upper-saturated and not lower-saturated for ρ1 and 
since the value of X_i has increased when this last update appeared, we deduce 
that ρ'(X_{i+1}) ≱ [[c_{i+1}]](ρ')(X_{i+1}). Thus ρ' is not a solution and from Lemma 3.2 
we deduce that ρ'' upper-saturates at least one constraint c_i. Thus ρ2 upper- 
saturates a constraint that is not upper-saturated by ρ1. 

Finally, note that each time the while loop is executed at least one bounded- 
increasing constraint becomes upper-saturated. As every upper-saturated con- 
straint remains upper-saturated, we are done. □ 